13 System regulation and leadership
13.1 System-wide regulation
From an information governance perspective, there is currently no method of regulating
the health and social care system as a whole. There are organisations that regulate
particular aspects of information governance, notably the Information Commissioner’s
Office, which has a duty to ensure organisations adhere to the Data Protection Act, and the
Care Quality Commission (CQC). The Health and Social Care Act 2012 describes the CQC’s
role in monitoring the processing of information across all providers, making the results
known to the NHS Commissioning Board and Monitor. Perhaps more importantly, the CQC
must, in exercising those functions, seek to improve the practice followed by registered
persons in relation to the processing of relevant information.
Given the importance of information governance to public trust and the dependence of the
health and social care system on data, the Review Panel saw an opportunity for monitoring
and system-wide regulation of information governance. In order to achieve this, the
following existing components need to be brought together:
• CQC and the ICO should have a Memorandum of Understanding to allow the sharing of
any concerns revealed by monitoring. This should include, but not be limited to,
non-notification to the ICO of an organisation processing personal information [115]
and non-adoption of a publication scheme under the Freedom of Information Act 2000 [116].
• CQC monitoring should include but not be limited to:
– data breaches as reported to the boards of health and social care system
organisations;
– failures to take due regard for the Information Centre code for processing
confidential information;
– any failure to inform the public how their personal confidential data was
being disclosed; and
– failures of sharing or excessive sharing as reported by the Parliamentary and
Health Service Ombudsman.
• CQC monitoring of information governance should be reported annually, to allow any
improvement or deterioration in practice over time to be seen.
• The CQC annual report and the breaches reported to the ICO from the health and social
care system should be presented to the Informatics Services Commissioning Group,
which is responsible for providing advice on commissioning informatics services,
including information governance, across the health and social care system, where
action should be taken to improve a deteriorating situation through the leadership of
NHS Commissioning Board and Monitor.
[115] All organisations processing personal data are legally required to register with the Information Commissioner’s Office (unless they are
exempt); all organisations providing care, and therefore responsible for care records, are required to register. See
http://www.ico.gov.uk/for_organisations/data_protection/notification.aspx
[116] The obligation on public bodies to have a publication scheme is set out under sections 19 and 20
(http://www.legislation.gov.uk/ukpga/2000/36/part/I/crossheading/publication-schemes) and is enforceable under section 52 of the FOIA
(http://www.legislation.gov.uk/ukpga/2000/36/section/52).
Information: To share or not to share? The Information Governance Review
The Review Panel heard that there were likely to be a large number of non-registered
providers. It would not be realistic to monitor all these providers. Therefore they should
gain access to confidential patient information only through the patient or their legal
representative.
13.2 System alignment
The Review Panel is clear that the remit for the Data Protection Act remains with the
Information Commissioner, but individual breaches or failures to share information by
registered and regulated health and social care professionals may be a failure of
professional duty.
The Review Panel concluded that the professional regulators should be involved more
often in both serious breaches and instances of poor information sharing when it is
clear it has hampered direct care.
There needs to be a way of holding the health and social care system to account on
information governance. The Health and Social Care Information Centre will be responsible
for producing and maintaining a code of practice on collecting, analysing, publishing or
disclosing confidential information. Every organisation in the health and social care system
should conform to this code.
The Review Panel concludes that the Information Centre code of practice should adopt
the standards and good practice examples contained throughout this report.
Recommendation 21
The Health and Social Care Information Centre’s Code of Practice for processing
personal confidential data should adopt the standards and good practice guidance
contained within this report.
13.3 Information governance terminology
The Review Panel found that the variety of definitions and terms relating to information
and information governance leads to confusion among both professionals and the public.
This in turn leads to misunderstandings of relevant legal duties and responsibilities and
contributes to the lack of confidence and unwillingness to share information.
The Review Panel recommends there should be an agreed set of terms and definitions
for information sharing, in line with legal definitions, for the whole health and social
care system. The aim should be that everyone, including the public, is able to
use and understand them.
Recommendation 22
The information governance advisory board to the Informatics Services Commissioning
Group should ensure that the health and social care system adopts a single set of
terms and definitions relating to information governance that both staff and the
public can understand. These terms and definitions should begin with those set out in
this document. All education, guidance and documents should use this terminology.
Recommendation 23
The health and social care system requires effective regulation to ensure the safe,
effective, appropriate and legal sharing of personal confidential data. This process
should be balanced and proportionate and utilise the existing and proposed duties
within the health and social care system in England. The three minimum components
of such a system would include:
• a Memorandum of Understanding between the CQC and the ICO;
• an annual data sharing report by the CQC and the ICO; and
• an action plan agreed through the Informatics Services Commissioning Group
on any remedial actions necessary to improve the situation shown to be
deteriorating in the CQC-led annual ‘data sharing’ report.
14 Conclusions and recommendations
In addition to the findings of individual chapters, the Review Panel has reached some
overarching conclusions.
14.1 Redress
The terms of reference for this review included examination of what safeguards exist to
protect people’s confidential information and what means of redress are available if
mistakes are made. We were asked to consider whether the current safeguards and means
of redress remain sufficient to provide assurance to the public, both in terms of the duty of
care and breaches of confidence.
We have dealt with these issues in various chapters, but the Review Panel believes the
question of redress is so important that it is worth drawing the threads together. The list of
actions below sets out how redress should be managed by every organisation in the health
and social care system in England from 1st April 2013:
• Individuals affected by a breach must be told what happened, how it happened, what
will be done to put matters right, and be given an apology (section 3.10 and
recommendation 5).
• Penalties should be administered via the Information Commissioner’s Office which can
impose civil monetary penalties of up to £500,000 and potentially criminal prosecution
for serious breaches of the Data Protection Act.
• If there has been a breach of section 55 of the Data Protection Act, even if the ICO
decides not to prosecute, the health or social care organisation concerned must take
remedial action; and the Care Quality Commission must assure itself that the action
has been taken and is fit for purpose.
• All data breaches should be reported to the organisation’s full senior management
board; it should report the breaches and the remedial actions in its annual report
(section 4.6).
• If there is a complaint or serious incident in which the management or recording of data
is a significant feature, then these events should be treated as data breaches
(section 12.5).
• Failure to inform the public properly on how their personal confidential data is being
shared (section 12.8: recommendation 18) should be actively monitored by the Care
Quality Commission with a view to securing an improvement in performance, with or
without the assistance of the NHS Commissioning Board and Monitor.
• If there is poor professional practice with regard to information sharing that is
hampering direct care, and if education and professional development fails to
improve matters, then organisations have a duty to involve the professional’s
regulator (section 13.1).
The Care Quality Commission’s performance in carrying out its legal duties to monitor data
sharing practice, inform the NHS Commissioning Board and Monitor, and improve practice
must be explained in a publication that demonstrates practice is improving.
Recommendation 24
The Review Panel recommends that the Secretary of State publicly supports the
redress activities proposed by this review and promulgates actions to ensure that
they are delivered.
14.2 The Caldicott principles
There was widespread support for the original Caldicott principles, which are as relevant
and appropriate for the health and social care system today as they were for the NHS in
1997. However, evidence received during the review has persuaded the Panel of the need
for some updating, and inclusion of an additional principle.
Professional standards and good practice
The revised list of Caldicott principles therefore reads as follows:
1. Justify the purpose(s)
Every proposed use or transfer of personal confidential data within or from an
organisation should be clearly defined, scrutinised and documented, with
continuing uses regularly reviewed, by an appropriate guardian.
2. Don’t use personal confidential data unless it is absolutely necessary
Personal confidential data items should not be included unless it is essential for
the specified purpose(s) of that flow. The need for patients to be identified
should be considered at each stage of satisfying the purpose(s).
3. Use the minimum necessary personal confidential data
Where use of personal confidential data is considered to be essential, the
inclusion of each individual item of data should be considered and justified so
that the minimum amount of personal confidential data is transferred or
accessible as is necessary for a given function to be carried out.
4. Access to personal confidential data should be on a strict need-to-know basis
Only those individuals who need access to personal confidential data should have
access to it, and they should only have access to the data items that they need
to see. This may mean introducing access controls or splitting data flows where
one data flow is used for several purposes.
5. Everyone with access to personal confidential data should be aware of
their responsibilities
Action should be taken to ensure that those handling personal confidential
data — both clinical and non-clinical staff — are made fully aware of their
responsibilities and obligations to respect patient confidentiality.
6. Comply with the law
Every use of personal confidential data must be lawful. Someone in each
organisation handling personal confidential data should be responsible for
ensuring that the organisation complies with legal requirements.
7. The duty to share information can be as important as the duty to protect
patient confidentiality
Health and social care professionals should have the confidence to share
information in the best interests of their patients within the framework set out
by these principles. They should be supported by the policies of their employers,
regulators and professional bodies.
Recommendation 25
The Review Panel recommends that the revised Caldicott principles should be
adopted and promulgated throughout the health and social care system.
14.3 Implementing the findings of the Information Governance Review
The principles, conclusions and recommendations within this report seek to maintain the
optimum balance between safeguarding patients’ sensitive information and encouraging
responsible and appropriate sharing of information for the benefit of all users of health and
social care services. The Secretary of State for Health, and the Department of Health, are
ultimately accountable for ensuring information governance works across the system.
The Review Panel therefore concludes that the Secretary of State and the Department
of Health should oversee the implementation of the recommendations of this review,
and report on the progress made.
Recommendation 26
The Secretary of State for Health should maintain oversight of the recommendations
from the Information Governance Review and should publish an assessment of the
implementation of those recommendations within 12 months of the publication of
the review’s final report.
Those recommendations are as follows:
14.4 Recommendations of the Information Governance Review
Recommendation 1 (section 2.4)
People must have the fullest possible access to all the electronic care records about
them, across the whole health and social care system, without charge.
An audit trail that details anyone and everyone who has accessed a patient’s record
should be made available in a suitable form to patients via their personal health and
social care records. The Department of Health and NHS Commissioning Board should
drive a clear plan for implementation to ensure this happens as soon as possible.
Recommendation 2 (sections 3.3 and 3.4)
For the purposes of direct care, relevant personal confidential data should be shared
among the registered and regulated health and social care professionals who have a
legitimate relationship with the individual.
Health and social care providers should audit their services against NICE Clinical
Guideline 138, specifically against those quality statements concerned with sharing
information for direct care.
Recommendation 3 (section 3.5)
The health and social care professional regulators must agree upon and publish the
conditions under which regulated and registered professionals can rely on implied
consent to share personal confidential data for direct care. Where appropriate, this
should be done in consultation with the relevant Royal College. This process should be
commissioned from the Professional Standards Authority.
Recommendation 4 (sections 3.6 and 3.7)
Direct care is provided by health and social care staff working in multi-disciplinary
‘care teams’. The Review recommends that registered and regulated social workers be
considered a part of the care team. Relevant information should be shared with
members of the care team, when they have a legitimate relationship with the patient
or service user. Providers must ensure that sharing is effective and safe. Commissioners
must assure themselves on providers’ performance.
Care teams may also contain staff who are not registered with a regulatory authority
and yet undertake direct care. Health and social care provider organisations must
ensure that robust combinations of safeguards are put in place for these staff with
regard to the processing of personal confidential data.
Recommendation 5 (section 3.10)
In cases when there is a breach of personal confidential data, the data controller, the
individual or organisation legally responsible for the data, must give a full explanation
of the cause of the breach with the remedial action being undertaken and an apology
to the person whose confidentiality has been breached.
Recommendation 6 (section 4.6)
The processing of data without a legal basis, where one is required, must be reported
to the board, or equivalent body, of the health or social care organisation involved, and
dealt with as a data breach.
There should be a standard severity scale for breaches agreed across the whole of the
health and social care system. The board or equivalent body of each organisation in the
health and social care system must publish all such data breaches. This should be in the
quality report of NHS organisations, or as part of the annual report or performance
report for non-NHS organisations.
Recommendation 7 (section 5.5)
All organisations in the health and social care system should clearly explain to patients
and the public how the personal information they collect could be used in de-identified
form for research, audit, public health and other purposes. All organisations must also
make clear what rights the individual has open to them, including any ability to actively
dissent (i.e. withhold their consent).
Recommendation 8 (section 5.5)
Consent is one way in which personal confidential data can be legally shared. In such
situations people are entitled to have their consent decisions reliably recorded and
available to be shared whenever appropriate, so their wishes can be respected. In this
context, the Informatics Services Commissioning Group must develop or commission:
• guidance for the reliable recording in the care record of any consent decision an
individual makes in relation to sharing their personal confidential data; and
• a strategy to ensure these consent decisions can be shared and provide assurance
that the individual’s wishes are respected.
Recommendation 9 (section 5.9)
The rights, pledges and duties relating to patient information set out in the NHS
Constitution should be extended to cover the whole health and social care system.
Recommendation 10 (section 6.5)
The linkage of personal confidential data, which requires a legal basis, or data that has
been de-identified, but still carries a high risk that it could be re-identified with
reasonable effort, from more than one organisation for any purpose other than direct
care should only be done in specialist, well-governed, independently scrutinised and
accredited environments called ‘accredited safe havens’.
The Health and Social Care Information Centre must detail the attributes of an
accredited safe haven in their code for processing confidential information, to which
all public bodies must have regard.
The Informatics Services Commissioning Group should advise the Secretary of State on
granting accredited status, based on the data stewardship requirements in the
Information Centre code, and subject to the publication of an independent
external audit.
Recommendation 11 (section 7.4)
The Information Centre’s code of practice should establish that an individual’s existing
right to object to their personal confidential data being shared, and to have that
objection considered, applies to both current and future disclosures irrespective of
whether they are mandated or permitted by statute.
Both the criteria used to assess reasonable objections and the consistent application of
those criteria should be reviewed on an ongoing basis.
Recommendation 12 (section 7.6)
The boards or equivalent bodies in the NHS Commissioning Board, clinical
commissioning groups, Public Health England and local authorities must ensure that
their organisation has due regard for information governance and adherence to its legal
and statutory framework.
An executive director at board level should be formally responsible for the
organisation’s standards of practice in information governance, and its performance
should be described in the annual report or equivalent document.
Boards should ensure that the organisation is competent in information governance
practice, and assured of that through its risk management. This mirrors the
arrangements required of provider trusts for some years.
Recommendation 13 (section 8.6)
The Secretary of State for Health should commission a task and finish group including
but not limited to the Department of Health, Public Health England, Healthwatch
England, providers and the Information Centre to determine whether the information
governance issues in registries and public health functions outside health protection
and cancer should be covered by specific health service regulations.
Recommendation 14 (section 9.2)
Regulatory, professional and educational bodies should ensure that:
• information governance, and especially best practice on appropriate sharing, is a
core competency of undergraduate training; and
• information governance, appropriate sharing, sound record keeping and the
importance of data quality are part of continuous professional development and are
assessed as part of any professional revalidation process.
Recommendation 15 (section 9.4.2)
The Department of Health should recommend that all organisations within the health
and social care system which process personal confidential data, including but not
limited to local authorities and social care providers as well as telephony and other
virtual service providers, appoint a Caldicott Guardian and any information governance
leaders required, and assure themselves of their continuous professional development.
Recommendation 16 (section 10.3)
Given the number of social welfare initiatives involving the creation or use of family
records, the Review Panel recommends that such initiatives should be examined in
detail from the perspective of Article 8 of the Human Rights Act. The Law Commission
should consider including this in its forthcoming review of the data sharing between
public bodies.
Recommendation 17 (section 11.2)
The NHS Commissioning Board, clinical commissioning groups and local authorities must
ensure that health and social care services that offer virtual consultations and/or are
dependent on medical devices for biometric monitoring are conforming to best practice
with regard to information governance and will do so in the future.
Recommendation 18 (section 12.8)
The Department of Health and the Department for Education should jointly commission
a task and finish group to develop and implement a single approach to recording
information about ‘the unborn’ to enable integrated, safe and effective care through
the optimum appropriate data sharing between health and social care professionals.
Recommendation 19 (section 12.9)
All health and social care organisations must publish in a prominent and
accessible form:
• a description of the personal confidential data they disclose;
• a description of the de-identified data they disclose on a limited basis;
• who the disclosure is to; and
• the purpose of the disclosure.
Recommendation 20 (section 12.10)
The Department of Health should lead the development and implementation of a
standard template that all health and social care organisations can use when creating
data controller to data controller data sharing agreements. The template should
ensure that agreements meet legal requirements and require minimum resources
to implement.
Recommendation 21 (section 13.2)
The Health and Social Care Information Centre’s Code of Practice for processing
personal confidential data should adopt the standards and good practice guidance
contained within this report.
Recommendation 22 (section 13.3)
The information governance advisory board to the Informatics Services Commissioning
Group should ensure that the health and social care system adopts a single set of terms
and definitions relating to information governance that both staff and the public can
understand. These terms and definitions should begin with those set out in this
document. All education, guidance and documents should use this terminology.